OneDev – Self-hosted Git server with CI/CD, Kanban, and packages

75 pointsposted 7 hours ago
by jcbhmr
(onedev.io)

37 Comments

hamdingers

3 hours ago

The docker quickstart asks me to mount the docker socket, an incredibly dangerous act that fundamentally breaks the isolation that containers are supposed to provide. I see no attempt to explain why this level of access is necessary.

I can guess why you think you need it, but whatever the reason it's not good enough. If you need job workers or some other kind of container, tell me how to run those with docker compose.

franga2000

an hour ago

It breaks the isolation for that one container, the rest are just fine. That's clearly done in order to dynamically spin up CI/CD containers, which you obviously can't do with something like compose.

I get why you don't want to do that on a machine running other things and I wouldn't either, but you're pretending like this is such a strange, unnecessary and unexpected thing to require, when in reality, basically everything does it this way and there isn't really a good alternative without a ton of additional complexity the vast majority of people won't need.

soraminazuki

5 minutes ago

It's poor security practice that shouldn't be overlooked. Mounting the Docker socket effectively allows the entire application to run with root privileges on the host. Given that this seems to be a multi-tenant application, the implications are even more concerning. The component responsible for spinning up CI/CD containers shouldn't operate within the security boundary of the rest of the application.

hamdingers

11 minutes ago

> It breaks the isolation for that one container, the rest are just fine.

Wrong. A container with access to the socket can compromise any other container, and start new containers with privileged access to the host system.

It compromises everything. This is a risk worth flagging.

worldsayshi

an hour ago

Isn't kaniko designed to solve this?

franga2000

36 minutes ago

As far as I know kaniko handles the "I'm a CI job inside a container and I want to build a container image" part. The reason CI/CD runners need socket access is to create those job containers in the first place. Using Podman to create job containers inside the app Docker container would be a solution, but Podman containers have many subtle incompatibilities with Docker and its ecosystem, so it makes sense they wouldn't want to use that, at least by default.

goofiw

5 hours ago

This looks super cool - especially given the changes to github’s leadership.

One minor note - on mobile safari there didn’t seem to be any state update on press of buttons, and submission was not clear until the backend server seemed to respond. My internet connection is a little slow and it was unclear tapping the button worked. I would expect a little loading state or at least ui to show the button as disabled during submission.

eikenberry

4 hours ago

    Code discussion anywhere anytime
    
    Select any code or diff to start discussion. Suggest and apply changes. Discussions stay with code to help code understanding.
How do the discussions stay with the code? Git notes?

Havoc

4 hours ago

I recall looking at it maybe 2-3 years ago and deciding against it. And it never seemed to get traction in the selfhosted community either.

...but I can't for the life of me recall why. Definitely wasn't a radioactive red flag issue...but some aspect around CI wasn't for me.

In general though with things like this that carry an open license and have a docker image you're better off trying it yourself than listening to randoms like me

s09dfhks

4 hours ago

This is why I dropped it. The CI/CD configurations were some weird proprietary format where as gitlab/gitea/forejo are all (mostly) feature compliant with my already existing github workflow files

elevation

4 hours ago

I evaluated moving from Gitea to OneDev before Gitea had CI. OneDev was useable, I didn't mind it, but I don't run java anywhere else so I decided against adopting it. A few years later and now Gitea/Forgejo are at feature parity.

jamesu

2 hours ago

For me the bus factor was a bit of a red flag, plus I prefer the layout in forgejo/gitea. Also didn't like that there wasn't really any obvious way to link in an external CI, and of course it's written in java so had that to factor in too.

kachapopopow

4 hours ago

Seems like heavier version of gitea with a pricing section.

hk1337

4 hours ago

Ooh! My interest is peaked seeing it is written in Java.

aime4money

5 hours ago

Fossil is that you?

fair_enough

4 hours ago

Fossil started as "not invented here", but it has grown into something I like a lot more than Git. Knowing how to use a version control system should be an incidental skill (akin to simple shell commands like "cp" and "ln"), not something that needs to be mentioned in a job posting's role description.

I also appreciate that the default workflow for undoing bad merges is a whiteout rather than a true "delete".

To each his own, but having worked with CVS, SVN, Perforce, Git, and Fossil, the centralized model is much less work for release engineering and administration most of the time. If I were a maintainer of the Linux kernel of one of the many Linux distros where you have potentially thousands of contributors to one codebase, I would use git because it scales up better.

However, I wouldn't underestimate the value of scaling down well, especially for all the people around here building some startup out of a barndominium. A VCS that includes its own GUI-based admin tool and is simple enough to used by some high school intro to web design class is a good thing in my book.

MangoToupe

2 hours ago

I was turned off by the necessity of using users and permissions; it feels unnecessary for local development and kind of a PITA if you have many repos.

It works exactly as advertised though; my gripes aren't technical.

fair_enough

42 minutes ago

I can understand that, but it sounds more like an argument in favor of ye-olde CVS than git... Not that I ever have nor desire to manage my own git server, which would involve its own authentication and administrative tasks.

Note: Before some third person pitches in their condescending two cents on the limitations of CVS, nobody here is recommending CVS.

odie5533

4 hours ago

Why do people self-host things like this instead of Github or Gitlab? I don't want to maintain more services for my services. Who has time for that.

homebrewer

4 hours ago

Our gitea instance had roughly five minutes of downtime in total over the past year, just to upgrade gitea itself. All in the middle of the night. How much downtime has GitHub seen over the same period, and how many people's work was affected by that?

pheggs

4 hours ago

I've been hosting a git service for quite a while now and it's maybe around half an hour per year of maintenance work. It's totally worth it in my opinion, it's so much better on almost every way ... One big reason is decentralization. Full control of data, change what you want, then things like the current npmjs attack show the downsides of having everyone using the same thing, and so much more

odie5533

3 hours ago

Backups, OS upgrades, version upgrades, firewall management, DDoS management. I just find self-hosting to be excessive to do right.

pheggs

3 hours ago

its not that hard though, and to be honest I trust myself more than a large org like microsoft to get that right

chasd00

3 hours ago

tinkering with services and networks and the whole self-hosting concept is pretty fun for many people.

abdullahkhalids

2 hours ago

A better question is why does it take any time to maintain a tool like this? I spend zero time maintaining my open-source browser (Firefox). It just periodically updates itself and everything just works. I maybe spend a bit of time maintaining my IDE by updating settings and installing plugins for it, but nothing onerous.

A tool like this is not fundamentally more complex than a browser or a full-fledged IDE.

elevation

4 hours ago

One answer might be to avoid LLMs training off the intellectual property that your humans typed out for you. But as LLM code generation tools take off, it's a losing battle for most orgs to prevent staff from using LLMs to generate the code in the first place, so this particular advantage is being subverted.

odie5533

3 hours ago

This probably only matters for 1-2 years tops. LLMs are taking off pretty fast.

d12bb

4 hours ago

Especially as self-hosting means loosing the community aspect of GitHub. Every potential contributor already has an account. Every new team member already knows how to use it.

nirvdrum

4 hours ago

You’re assuming people are self-hosting open source projects on their gut servers. That’s often not the case. Even if it were, GitHub irked a lot of people using their code to train Copilot.

I self-host gitea. It took maybe 5 minutes to set up on TrueNAS and even that was only because I wanted to set up different datasets so I could snapshot independently. I love it. I have privacy. Integrating into a backup strategy is quite easy —- it goes along with the rest of my off-site NAS backup without me needing to retain local clones on my desktop. And my CI runners are substantially faster than what I get through GitHub Actions.

The complexity and maintenance burden of self-hosting is way overblown. The benefits are often understated and the deficiencies of whatever hosted service left unaddressed.

rmoriz

3 hours ago

Microsoft/GitHub has no model training. How do you think Copilot works? Also if you provide open source, people and companies are gonna use it.

bigfishrunning

3 hours ago

When I publish open source code, I don't mind if people or companies use it, or maybe even learn from it. What I don't like is feeding it into a giant plagiarism machine that is perpetuating the centralization of power on the internet.

nirvdrum

2 hours ago

> Microsoft/GitHub has no model training. How do you think Copilot works?

I'm sure if you used that big, smug brain of yours you'd piece together exactly what I meant. Here's a search query to get the juices flowing:

https://hn.algolia.com/?dateRange=all&page=0&prefix=false&qu...

Whether you agree with why someone may be opting to self-host a git server is immaterial to why they've done so. Likewise, I'm not going to rehash the debate over fair use vs software licenses. Pretending like you don't understand why someone that published code under a copyleft license is displeased with it being locked in a proprietary model being used to build proprietary software is willful ignorance. But, again, it makes no difference whether you're right or they're right; no one is obligated to continue pushing open source code to GitHub or any other service.

pheggs

3 hours ago

I mean git was exactly designed to be decentralized

kachapopopow

4 hours ago

because: 1) privacy - don't want projects leaving a closed circle of people 2) compliance - you have to self-host and gitlab/github are way too expensive for what they provide when open-source alternatives exist 3) you just want to say fuck you to coorperate (nothing is free) and join the clippy movement.

hamdingers

4 hours ago

As a mirror of my GitHub repositories following the 3-2-1 backup principle.